European Cyber Resilience Act: Where is Space?

https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

https://www.weforum.org/agenda/2022/09/new-european-union-cybersecurity-proposal-takes-aim-at-cybercrimes/

In mid-September 2022, the European Commission unveiled its proposal for a Cyber Resilience Act. Likely to be approved by the member states, it mandates that products be designed, developed, and produced in ways that mitigate cybersecurity risks. The proposal aims to prepare the European market for the growth of the Internet of Things (IoT) and to reduce the economic losses generated by cybercrime (an estimated global annual cost of €5.5 trillion in 2021). It is a very interesting proposal with a significant flaw: space is never mentioned.

The four specific objectives of the Cyber Resilience Act are:

  1. Ensure that manufacturers improve the security of products with digital elements since the design and development phase and throughout the whole life cycle;
  2. Ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;
  3. Enhance the transparency of security properties of products with digital elements, and
  4. Enable businesses and consumers to use products with digital elements securely.

To summarize these four objectives: the Act will affect supply chains and the final digital products. It is unclear whether space assets will also be considered digital products on the market.

Undoubtedly such legislation would be a significant step forward for the cybersecurity of the European Union and, in cascade, for its economic partners, but there are also substantial limitations.

This initiative, however, is likely to be a beautiful building built on cracking and unstable foundations. To date, the European Union has no regulations on the cybersecurity of space assets, and this, combined with the absence of space in this proposal, risks crystallizing weaknesses. Furthermore, the rules listed in this proposal will not apply retroactively, and it is unclear whether they will also cover the space sector. So we risk having extremely secure ground and user segments weakened by an unregulated space segment.

Clearly, the role of the space sector in the security and safety of critical infrastructures and individual citizens is not yet fully understood by the legislators of the European Commission.